PAM Pluggable Authentication Module

PAM overview

KeithWinston

PAM is the pluggable authentication module. It is a
system that most Linux distros have incorporated that gives you fine
grained control over how users are authenticated.

The principal feature of the PAM approach is that the
nature of the authentication is dynamically configurable. In other words,
the system administrator is free to choose how individual
service-providing applications will authenticate users. This dynamic
configuration is set by the contents of the single Linux-PAM
configuration file /etc/pam.conf.

Alternatively, the configuration can be set by individual configuration
files located in the /etc/pam.d/
directory. The presence of this directory will cause Linux-PAM to ignore
/etc/pam.conf. (SuSE ships by default with the
pam.d directory and files).

/etc/pam.conf has a list of rules. The format of
each rule is a space separated collection of tokens, the first three
being case-insensitive:

service type control module-path module-arguments

The syntax of files contained in the /etc/pam.d/ directory, are identical
except for the absence of any service field. In this case, the service is
the name of the file in the /etc/pam.d/ directory. This filename must
be in lower case.

service

usually the name of the program, like login or su

type

valid entries are: account; auth; password; and session.

control

what happens when auth fails, usually requisite, required,
sufficient, optional (can also be [valueN=action valueN=action]
where valueN is return code)

module-path

/path/to/the/program (defaults to
/lib/security)

module-args

args

PAM/etc/security
files

Some of the modules have additional configuration files in
/etc/security.

The /etc/security/access.conf can be used to greatly
restrict who can login from where. You can limit console logins to only
specific UIDs, or combinations of specific UIDs and ttys. However, in
addition to configuring this file, you must set up the
PAM login rules to read this file. The pam_access.so library is the program
that enforces the rules. Edit /etc/pam.d/login and
add this line to activate the
/etc/security/access.conf file in
PAM:

# add login restrictions (access.conf)
account required pam_access.so

It goes after the other account required line that handles normal logins
(this is called stacking).

Then, edit the /etc/security/access.conf file to set
up access controls. Here is an example entry so that no users except the
user libadmin can login on tty1. Add this line:

-:ALL EXCEPT libadmin:tty1

Note

root can still access the machine through su or sshd.

The /etc/security/limits.conf can be used to
restrict system resource usage by UID. The pam_limits.so library is the program
that enforces the limits. It must be set up in the
/etc/pam.d/login file as a session rule, usually at
the end of the file:

session required pam_limits.so

The /etc/login.defs file, which is part of the
shadow suite, is also honored by PAM if you include
the pam_pwcheck.so library in
your PAM configuration. It must be set up in the
/etc/pam.d/login file as a password rule:

password required pam_pwcheck.so nullok

With /etc/login.defs, you can control the minimum
password length, expiration time, and many other things.

What programs are PAM enabled?

In modern Linux distributions, most programs are PAM
enabled. For a program to use PAM, it must have the
PAM functions included in it for authentication and
authorization. To check to see if a program is pam enabled, do an ldd on
it and look for PAM libraries linked to it:

The /etc/pam.d/other file is used to check
authentication for any service where a specific pam file has not been set
up. In SuSE 7.3, the default
settings in this file send warning messages to syslog and check the
standard system files for UID/passwords (pam_unix.so).

Pam modules

This is an incomplete overview of the major PAM
modules that are already written and stable. See the
PAM documentation for a complete list. These modules
can be used in any service file in /etc/pam.d to customize the security
policies for the machine.

pam_env.so [authentication]

Sets environment variables for PAM using the
settings in /etc/security/pam_env.conf.

pam_ftp.so -- [authentication]

Allows (forces) anonymous logins for ftp. User must enter ftp or
anonymous for the UID and an e-mail address for the
password.

pam_group [authentication]

This module provides group-settings based on the user's name and
the terminal they are requesting a given service from. This allows
group settings separate from the /etc/group to
be used only in PAM processing. This module
does not authenticate the user, but instead it grants group
memberships (in the credential setting phase of the authentication
module) to the user. Such memberships are based on the service they
are applying for. The group memberships are listed in text form in
the /etc/security/group.conf file. The
pam_group module functions in parallel with the
/etc/group file. If the user is granted any
groups based on the behavior of this module, they are granted in
addition to those entries /etc/group (or
equivalent).

pam_homecheck -- [authentication; session]

Checks the home directory of the user for world writable or dot
files not owned by the user. Check, if the home directory is
world-writeable. If the home directory is world-writeable, or one
of the important dot files is world-writeable or not owned by the
user or root, a warning is printed. The abort argument will deny
permission to log in in such a case.

pam_limits -- [session]

Uses the /etc/security/pam_limits.conf file to
enforce resource limitations on users. Through the contents of the
configuration file, /etc/security/limits.conf,
resource limits are placed on users' sessions. Users of uid=0 are
not affected by this restriction.

pam_listfile -- [authentication]

Allows or denys access to a service based on a text file. filename
contains one line per item listed. If the item is found, then if
sense=allow, PAM_SUCCESS is returned,
causing the authorization request to succeed; else if sense=deny,
PAM_AUTH_ERR is returned, causing the
authorization request to fail.

Here is an example of user the ftpusers file to deny access to
those listed in the file:

This module provides the “you have new mail” service
to the user. It can be plugged into any application that has
credential hooks. It gives a single message indicating the newness
of any mail it finds in the user's mail folder. This module also
sets the Linux-PAM environment variable, MAIL, to the user's mail
directory.

pam_motd -- [session]

Displays the motd file.

pam_nologin -- [authentication]

Provides standard Unix nologin authentication. If the file
/etc/nologin exists, only root is allowed to
log in; other users are turned away with an error message. All
users (root or otherwise) are shown the contents of
/etc/nologin. If the file
/etc/nologin does not exist, this module
succeeds silently.

pam_permit -- [account; authentication; password; session]

This module is very dangerous. It should be used with extreme
caution. Its action is always to permit access. It does nothing
else.

pam_pwcheck -- [password]

This is a module for checking passwords. It reads
/etc/login.defs and makes the checks the
standard Linux shadow suite also does. If configured, it also uses
the cracklib library to check the password.

pam_securetty -- [authentication]

Provides standard Unix securetty checking, which causes
authentication for root to fail unless PAM_TTY
is set to a string listed in the
/etc/securetty file. For all other users, it
succeeds. Here is the standard /etc/securetty
file on SuSE 7.3. Root can
only login on these terminals:

Reads the /etc/security/time.conf file to
restrict when a user can use a service. For example, you can deny
logins during weekends or after normal business hours.

pam_unix -- [account; authentication; password; session]

If configured in /etc/nsswitch.conf, this
module will make NIS or NIS+ queries. This is
the standard Unix authentication module. It uses standard calls
from the glibc NSS libraries to retrieve and set
account information as well as authentication. Usually this is
obtained from the the local files /etc/passwd and
/etc/shadow, from an NIS
map or from the NIS+ passwd.org_dir
table.

pam_wheel -- [authentication]

Only permit root access to members of the wheel (gid=0) group. This
is similar to theFreeBSD
style wheel access, so that you can't su to root unless you are in
the wheel group. It is NOT used by default in SuSE 7.3, but is a nice
addition.